How easy is it to steal hotel loyalty points from someone’s account? Looks easy to me!

16 Comments

• 

  Big D April 12, 2016

  I do like that Hyatt sends an email at the time of booking an award stay.
• 

  Raj April 12, 2016

  Surprised that they do not have adequate checks in place prior to anyone making an award reservation. I am assuming that the hotel reward numbers are not freely available and they should be confirming as such when someone is calling over the phone.
• 

  Ric Garrido April 12, 2016

  I receive emails from IHG too regarding upcoming reward stays. I did not get an email for any of four reward stays in three different programs booked by phone on day of arrival. They did not even appear in my account until after the stays were completed.

  I learned about these reward stays when welcome amenity points posted after the stays.
• 

  Sara J April 12, 2016

  Thank you for the warning. Having a credit card on file is convenient (I have had a phone reservation agent add it without my knowledge) but in the end, I would prefer to input it each time and be safe. I have also had someone get into my marriott account years ago and change my email to an unknown email from a foreign email company. When I reported the fraud to Marriott, the customer service replied, “maybe you asked a friend to book a room for you.” I replied that I only book my own rooms. I changed the password and fortunately, no points were used.
• 

  MSer April 12, 2016

  Moral of the story is for people to stop posting personal details on social media.
• 

  M April 12, 2016

  I have the same concerns with booking and especially changing/canceling airline award tickets over the phone.
• 

  Ric Garrido April 12, 2016

  @MSer – As far as I know my hotel account numbers have never been posted anywhere. I do not use any online services to track my loyalty program accounts.

  The moral of the story is hotel loyalty programs appear to need tighter phone security measures. My loyalty program accounts are all password protected for online transactions.

  Today I phoned to discuss the fraud issue with two different hotel programs and the phone representatives made changes to my accounts over the phone, including creating an entirely new account with one program.

  The only information I provided was my name, address, phone and account number. Neither of the program representatives asked me for my account passwords before making changes to my program accounts. My name, address and phone number are in the local phone book and easily available.

  I doubt it would be too hard to phish around and get a hotel loyalty program account number over the phone. I can think of several different ways to approach the issue of getting an account number over the phone and I am not even a hacker trying to get information.
• 

  Bob April 12, 2016

  I recently had someone book a hotel room using my hotwire account over the phone. I got an email about this stay. They used their name and credit card on the reservation(or perhaps a stolen name and/or credit card- just not mine), but everything was listed under my hotwire account name and number. After calling customer service I was told that this was done by phone. They told me that their agents will book anyone by just giving name and phone info. Hotwire did not seem too concerned about this. I am now monitoring all my accounts! I do not use social media.
• 

  nsx at flyertalk April 12, 2016

  Did you get your stolen points back?
• 

  Lisa April 12, 2016

  It wouldn’t necessarily be more secure if you had been asked for a password. Social hackers are adept at convincing reps why they don’t have/need the password: husband out of town and unreachable, for example, and oh, the roof is leaking all over my house! I just need one night! They play on people’s sympathy.

  Read this article http://fusion.net/story/281543/real-future-episode-8-hack-attack/
• 

  Greg April 12, 2016

  What I would like to know is why didn’t the loyalty program notify you when points were deducted out of your account. I blame the loyalty program for not having a system in place that makes it mandatory for them to send an instant email anytime an award is issued.

  Did you call IHG and ask why an email was not sent out
• 

  razorgeorge April 12, 2016

  I had my email hacked last year. It had to have been a system hack of my provider, which is a joke. Anyway, they got into my loyalty programs and tried to buy a laptop and some other things. My inbox messages were redirected to my trash folder, and the hacker got a copy of everything. It took me a couple of days to realize what happened. I got all of the points back and put a pin number on my accounts to keep it from happening again. Crazy times!
• Stealing Points, New Starbucks Rewards,Hotels for the Wealthy - TravelBloggerBuzz April 13, 2016

  […] Stealing hotel points and staying on your dime points . Done over the phone. Somebody did it with Loyalty Traveler. Wow. You have been warned! […]
• 

  IMH April 13, 2016

  Thanks for keeping us informed. It wouldn’t be difficult (or add much work for customers) for hotel chains and airlines to require ‘second method’ confirmation for redemptions or account changes — especially if someone who only ever manages their account online switches to using the phone. An online booking might require text message confirmation. A phone booking could be confirmed by email.

  Many programmes have something similar in place for address or email changes: a message to the old address saying that a change has been made and asking the customer to call if they didn’t make it.

  (OT: is leaving a comment the only way to get notified of future comments/updates to a post?)
• 

  Ric Garrido April 13, 2016

  @IMH – there used to be a comments subscription link on my page. I had not noticed before, but apparently it was removed when BoardingArea retooled the site last year for mobile viewing.
• 

  Paulo April 13, 2016

  I know that this kind of problem happens with airlines too, at least here in Brazil. In January I had my TudoAzul miles stolen. People used my 38.000 miles to get last minute tickets. I discovered 7 days after the flights because my e-mail was changed by the call center assistence. They created a fake email with my name, called the airline and confirmed my name, date of birth and CPF (brazilian Social Security Number). With this info, they changed my e-mail. Then, they clicked at lost password and got access to my account. I didn’t receive any confirmation because the e-mail was changed. Pretty easy, since all of that info can be hacked from databases of online stores, universities, work, etc.
  One idea that I gave to TudoAzul support is to ask questions that only the owner of the account will know like: Did you flew recently with points? From where to where? Or, what was the last time you earned points with Azul?

  In the end, they returned the points to my account after 1 month but the situation was a stress that could be avoided if they had a safer system.

Comments are closed.